Container admission policy
A container admission policy (ContainerAdmissionPolicy) represents an ordered set of rules which are applied to a
collection of containers that match a label selector.
ContainerAdmissionPolicy is a cluster resource. ContainerAdmissionPolicy can be restricted to a set of namespaces
using a namespace selector.
Sample YAML
This sample policy allows admission requests for pod creating resources whose image is in the registry / repository
gcr.io/company/production-repository/* with a scan status of either Pass or Warn, and rejects all other admission
requests.
apiVersion: containersecurity.tigera.io/v1beta1
kind: ContainerAdmissionPolicy
metadata:
name: reject-failed-and-non-gcr
spec:
selector: all()
namespaceSelector: all()
order: 10
rules:
- action: "Reject"
imagePath:
operator: IsNoneOf
values:
- "^gcr.io/company/production-repository/.*"
- action: Allow
imageScanStatus:
operator: IsOneOf
values:
- Pass
- Warn
- action: Reject
Container admission policy definition
Metadata
| Field | Description | Accepted Values | Schema | Default |
|---|---|---|---|---|
| name | The name of the network policy. Required. | Alphanumeric string with optional ., _, or -. | string |
Spec
| Field | Description | Accepted Values | Schema | Default |
|---|---|---|---|---|
| order | Controls the order of precedence. Calico Cloud applies the policy with the lowest value first. | float | ||
| selector | Selects the resources to which this policy applies. | selector | all() | |
| namespaceSelector | Selects the namespace to which this policy applies. | selector | all() | |
| rules | Ordered list of rules applied by this policy. | List of Rule |
Rule
A single rule matches a set of pod creating resources and applies some action to them. Multiple rules are executed in order.
| Field | Description | Accepted Values | Schema | Default |
|---|---|---|---|---|
| action | Action to perform when matching this rule. | Allow, Reject | string | |
| imagePath | Image path matching criteria. | String Values Match | ||
| imageScanStatus | Vulnerability scan status criteria. | String Values Match | ||
| imageLastScan | Criteria for the last time the containers image was scanned. | Time Match |
Selector
A label selector is an expression which either matches or does not match a resource based on its labels.
Calico Cloud label selectors support a number of operators, which can be combined into larger expressions using the boolean operators and parentheses.
| Expression | Meaning |
|---|---|
| Logical operators | |
( <expression> ) | Matches if and only if <expression> matches. (Parentheses are used for grouping expressions.) |
! <expression> | Matches if and only if <expression> does not match. Tip: ! is a special character at the start of a YAML string, if you need to use ! at the start of a YAML string, enclose the string in quotes. |
<expression 1> && <expression 2> | "And": matches if and only if both <expression 1>, and, <expression 2> matches |
<expression 1> || <expression 2> | "Or": matches if and only if either <expression 1>, or, <expression 2> matches. |
| Match operators | |
all() | Match all in-scope resources. To match no resources, combine this operator with ! to form !all(). |
global() | Match all non-namespaced resources. Useful in a namespaceSelector to select global resources such as global network sets. |
k == 'v' | Matches resources with the label 'k' and value 'v'. |
k != 'v' | Matches resources without label 'k' or with label 'k' and value not equal to v |
has(k) | Matches resources with label 'k', independent of value. To match pods that do not have label k, combine this operator with ! to form !has(k) |
k in { 'v1', 'v2' } | Matches resources with label 'k' and value in the given set |
k not in { 'v1', 'v2' } | Matches resources without label 'k' or with label 'k' and value not in the given set |
k contains 's' | Matches resources with label 'k' and value containing the substring 's' |
k starts with 's' | Matches resources with label 'k' and value starting with the substring 's' |
k ends with 's' | Matches resources with label 'k' and value ending with the substring 's' |
Operators have the following precedence:
- Highest: all the match operators
- Parentheses
( ... ) - Negation with
! - Conjunction with
&& - Lowest: Disjunction with
||
For example, the expression
! has(my-label) || my-label starts with 'prod' && role in {'frontend','business'}
Would be "bracketed" like this:
((!(has(my-label)) || ((my-label starts with 'prod') && (role in {'frontend','business'}))
It would match:
- Any resource that did not have label "my-label".
- Any resource that both:
- Has a value for
my-labelthat starts with "prod", and, - Has a role label with value either "frontend", or "business".
Understanding scopes and the all() and global() operators: selectors have a scope of resources
that they are matched against, which depends on the context in which they are used. For example:
-
The
nodeSelectorin anIPPoolselects overNoderesources. -
The top-level selector in a
NetworkPolicyselects over the workloads in the same namespace as theNetworkPolicy. -
The top-level selector in a
GlobalNetworkPolicydoesn't have the same restriction, it selects over all endpoints including namespacedWorkloadEndpoints and non-namespacedHostEndpoints. -
The
namespaceSelectorin aNetworkPolicy(orGlobalNetworkPolicy) rule selects over the labels on namespaces rather than workloads. -
The
namespaceSelectordetermines the scope of the accompanyingselectorin the entity rule. If nonamespaceSelectoris present then the rule'sselectormatches the default scope for that type of policy. (This is the same namespace forNetworkPolicyand all endpoints/network sets forGlobalNetworkPolicy) -
The
global()operator can be used (only) in anamespaceSelectorto change the scope of the mainselectorto include non-namespaced resources such as GlobalNetworkSet. This allows namespacedNetworkPolicyresources to refer to global non-namespaced resources, which would otherwise be impossible.
StringValueMatch
A string values match does a match or negative match on a target against a set of values.
| Field | Description | Accepted Values | Schema | Default |
|---|---|---|---|---|
| operator | Match operator to use against the list of values | IsOneOf, IsNoneOf | string | |
| values | List of values to match against. | list of strings |
TimeMatch
A time match does a match or negative match against a time or duration.
Duration is the length of time into the past from the current time to match against. As an example,
operator: "gt"
duration:
days: 3
is false for 4 days prior to the current date time, and true for 2 days prior to current date time.
Time is the absolute time to match a given time against. As an example,
operator: "gt"
time: "2022-01-02T0:00:00Z"
is false for "2022-01-01T0:00:00Z", and true for "2022-01-03T0:00:00Z".
| Field | Description | Accepted Values | Schema | Default |
|---|---|---|---|---|
| operator | Match operator to use against the duration or time. | gt, lt | string | |
| duration | The duration that this operator matches within. | Duration | ||
| time | List of values to match against. | String of the format "2006-01-02T15:04:05Z07:00" |
Duration
| Field | Description | Accepted Values | Schema | Default |
|---|---|---|---|---|
| days | Number of days past from the current time. | integer | ||
| months | Number of months past from the current time. | integer | ||
| years | Number of years past from the current time. | integer |
Supported operations
| Datastore type | Create/Delete | Update | Get/List | Notes |
|---|---|---|---|---|
| Kubernetes API datastore | Yes | Yes | Yes |